Authentication Mechanism Absence or Evasion - OTP
Need
Ensure that OTPs are validated properly during user registration.
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Phoenix Framework for building web applications (version 1.6.0 and above)
Description
Non compliant code
defmodule MyAppWeb.UserController do
use MyAppWeb, :controller
def verify_otp(conn, %{'otp' => otp}) do
if String.length(otp) == 6 do
json(conn, %{status: 'success'})
else
json(conn, %{status: 'error'})
end
end
end
This code is insecure because it only checks if the length of the OTP is 6, but it doesn't verify if the OTP matches the one generated by the server. This allows an attacker to bypass the OTP verification by entering any six-digit number.
Steps
- Implement server-side OTP generation and storage (temporary, expires after a certain time or after it is used).
- Upon user OTP submission, verify it against the OTP stored on the server.
- Consider using OTP validation libraries to handle this more securely and efficiently.
Compliant code
defmodule MyAppWeb.UserController do
use MyAppWeb, :controller
def verify_otp(conn, %{'otp' => otp, 'user_id' => user_id}) do
stored_otp = get_stored_otp_for_user(user_id)
if otp == stored_otp do
json(conn, %{status: 'success'})
else
json(conn, %{status: 'error'})
end
end
end
This code is secure because it verifies the user's OTP against the one stored on the server, ensuring that only a correct OTP will pass the verification process.